When reliance on a SAS 70 fails



  • We have an issue where management receives reports from a third-party vendor. The vendor also provides an annual SAS 70 Type II report. Management relies on the information in the reports and has identified errors in the reports. The errors were reported by management to the vendor who stated they would fix the error. However, the ‘fix’ was done incorrectly and made the issue worse. These errors were identified after g/l entries and financial statements had been finalized.
    To make a long story short, the SAS 70 control failed. Has anyone experienced this type of issue and if so, what was the resolution?
    Thanks.



  • Hi,
    I have not experienced this type of situation. However, the control deficiency that was identified in the SAS 70 Report should be considered for potential impact on the previously reported FS.
    If the FS do not require restatement (the deficiency does not result in a material change to the amounts and balances), you might not require further action.
    Ultimately, management takes ownership for the financial information contained in the FS. A control deficiency that is not properly included in the SAS 70, or one that is not remediated effectively does not necessarily mean that the FS are in error or are unreliable.
    The auditor can use judgment to determine the proper treatment.
    The clause below might be helpful…
    Conclusion
    Based on our review of Company X’s SAS 70 Type II Report, the controls upon which we rely in part were appropriately addressed without exception except for …describe the process here…, to which we believe sufficient mitigating controls exist at both Company E and COMPANY B.
    In short, if the opinion in the SAS 70 was incorrectly reported, this does not mean that the FS were materially issued.
    Hope this helps,
    Milan



  • Hi,
    I agree with Milan that you will need to evaluate the exception just like you evaluate any exception you find in your own testing.
    We are having a slightly different problem. Our service organization provided a clean SAS 70 Type 2 report, but we have found a significant number of errors in the work that they perform, leading us to question the validity of the SAS 70.
    COSO's recently released Guidance on Monitoring Internal Control Systems Exposure Draft talks about SAS 70s. If a SAS 70 is not available or if the risk warrants, user organizations may determine they need to perform their own evaluations of controls. "In fact, a 'right to audit' clause is often included in contracts between user and service organizations."
    Depending on your level of discomfort, you may want to review your contract for a right to audit clause.



  • KAK,
    That is exactly the problem we are having and I obviously did not explain myself well in my original post. 😄 That is a great idea about the right to audit clause. I will do some research.
    Thanks.



  • Better to concentrate on the cause of the failure than to worry about SAS 70 controls failing. The problem is and has always been that SAS 70 allows organizations to define their own controls. Because of this I have seen constant failures, security issues, and just about every issue SAS 70 works to remediate. The very controls set forth by an organization can help them pass a SAS 70 audit with no problem, but in actuality, they do little to control access, or production system quality.
    Ask yourself this, what would your audit do differently? They passed the SAS 70 audit for a reason. Obviously it is not difficult to get all the approvals and permission you need to put code that breaks a system into a production environment.
    A right to audit would be a good thing, but auditing the controls that failed is a waste of time. They already failed. The audit needs to focus on QA methodologies, unit testing, source and revision control, and various other components that drive the real success or failure of a firm's work, not just the visibility into changes. 90 percent of the time I see control points signed off on, or escalated and then signed off on, without any regard to quality, because the bottom line is that if you see repeated failures in a firm, they may be humoring their guidelines with the intent to only satisfy audit.

